From: dexterclarke@Safe-mail.net
To: freebsd-security@freebsd.org
Date: Sat, 29 Sep 2007 19:35:50 -0400
Subject: Why are audit events apparently non-attributable?
So I'm exploring AUDIT and have this in /etc/security/audit_control:

dir:/var/audit
flags:lo,fd
minfree:20
naflags:lo
policy:cnt
filesz:0

I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,fd
policy:cnt
filesz:0

I type audit -s and am immediately flooded with 20 kilobytes' worth of audit records about file deletions.

What I don't understand is why these file deletions are non-attributable? Surely if I sit there touching and removing files, the events should be very clearly attributed to me?

Even more strange is that the events look like this:

header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130

To me, that looks like the event was attributed to 'root', so why does it only appear when using 'naflags', i.e. non-attributable events? Perhaps I misunderstand something fundamental.

-- dc
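The detail that decides this is the first field of the subject token, not the uid columns after it. That field is the audit ID (auid), and the "-1" there is AU_DEFAUDITID, meaning the process's audit ID was never set. The kernel treats such a process as non-attributable whatever its euid, and preselects its events with naflags; the session ID of 0 and the empty terminal (0, 0.0.0.0) in the same token point the same way, since all three are normally filled in by login or sshd calling setaudit(2) when a session starts. A shell that did not come through an audit-aware login keeps the default. It also explains why the change was visible immediately after audit -s: auditd pushes naflags into the kernel as the mask for all unattributed processes, whereas flags is consulted when a new session's mask is set up, so a change there only shows in sessions started afterwards. The following Python, added here as an illustration and not code from the original mail or from FreeBSD/OpenBSM, parses praudit(1) text output and audit_control(5) and applies that selection rule. The record from the mail and a second, made-up attributable unlink are embedded as constructed input; EVENT_CLASS is a constructed stand-in for /etc/security/audit_event covering only the two events used, and the '^' un-select prefixes of audit_control are not modelled.

```python
"""Attributable vs. non-attributable preselection for praudit(1) records.

Added example; not code from the original mail or from FreeBSD/OpenBSM.
Rule mirrored here: a record whose subject token carries audit ID -1
(AU_DEFAUDITID, never set) is matched against naflags, any other record
against flags, regardless of the uid/euid fields.
"""
from dataclasses import dataclass

AU_DEFAUDITID = "-1"   # praudit prints the literal -1 for an unset audit ID

# Constructed: event name -> audit class (audit_event(5) holds the real table)
EVENT_CLASS = {"unlink(2)": "fd", "login - local": "lo"}

# Constructed sample input: the record quoted in the mail (auid -1, pid 78355)
# followed by a made-up unlink from a process whose audit ID was set at login.
SAMPLE_RECORDS = """\
header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130
header,131,10,unlink(2),0,Sat Sep 29 20:49:01 2007, + 12 msec
path,/tmp/scratch
attribute,644,dc,wheel,126,24801,98341
subject,dc,root,wheel,root,wheel,78402,78390,16471,192.0.2.10
return,success,0
trailer,131
"""

# The two audit_control variants from the mail.
CONF_FLAGS_FD = "dir:/var/audit\nflags:lo,fd\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:0\n"
CONF_NAFLAGS_FD = "dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo,fd\npolicy:cnt\nfilesz:0\n"


@dataclass
class Record:
    event: str
    auid: str      # subject token field 1: user name if set, "-1" if never set
    euid: str
    pid: int
    success: bool

    @property
    def attributable(self) -> bool:
        # The kernel keys on the audit ID, not on uid/euid: a process whose
        # audit ID is still AU_DEFAUDITID is non-attributable even as root.
        return self.auid != AU_DEFAUDITID


def parse_praudit(text: str) -> list[Record]:
    """Turn praudit text output into one Record per header..trailer group."""
    records, cur = [], {}
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            cur = {"event": tok[3]}        # tok[4:] are modifier and timestamp
        elif tok[0] == "subject":
            cur.update(auid=tok[1], euid=tok[2], pid=int(tok[6]))
        elif tok[0] == "return":
            cur["success"] = tok[1] == "success"
        elif tok[0] == "trailer":
            records.append(Record(**cur))
    return records


def parse_audit_control(text: str) -> dict[str, str]:
    """audit_control(5) is key:value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def parse_classes(spec: str) -> dict[str, tuple[bool, bool]]:
    """'lo,+fd,-fc' -> class -> (select successes, select failures).
    '+' selects successes only, '-' failures only, no prefix selects both."""
    sel = {}
    for item in filter(None, spec.split(",")):
        if item.startswith("+"):
            sel[item[1:]] = (True, False)
        elif item.startswith("-"):
            sel[item[1:]] = (False, True)
        else:
            sel[item] = (True, True)
    return sel


def selected(rec: Record, conf: dict[str, str]) -> bool:
    """Which preselection mask applies is decided by attributability alone."""
    mask = parse_classes(conf["flags"] if rec.attributable else conf["naflags"])
    cls = EVENT_CLASS.get(rec.event)
    if cls not in mask:
        return False
    want_success, want_failure = mask[cls]
    return want_success if rec.success else want_failure


def classify(records_text: str, conf_text: str) -> list[tuple[int, bool, bool]]:
    """(pid, attributable, selected) for every record under the given config."""
    conf = parse_audit_control(conf_text)
    return [(r.pid, r.attributable, selected(r, conf)) for r in parse_praudit(records_text)]


if __name__ == "__main__":
    for name, conf in (("flags:lo,fd naflags:lo", CONF_FLAGS_FD),
                       ("flags:lo naflags:lo,fd", CONF_NAFLAGS_FD)):
        print(name)
        for pid, attr, sel in classify(SAMPLE_RECORDS, conf):
            print(f"  pid {pid}: attributable={attr} selected={sel}")
```

With the mail's first configuration the pid 78355 record is dropped (auid -1, so only naflags=lo is consulted) while the constructed auid=dc record is kept; with the second configuration it is the other way round. On a real system the quick check is to look at the auid field of your own shell's records, or at the session's audit state from within it, before reading anything into flags versus naflags.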